We live in a world where technology is continuously evolving at a rapid pace, and people are connected more than ever before. This has generated a much larger concern for the privacy of people and ways to protect their data. All governments are continuously working to create efficient laws, guidelines, and infrastructure to protect both individual and organizational data.
The threat of data breaches has become more prevalent, especially with the rise of AI (Artificial Intelligence) and IoT (Internet of Things). These technologies are integrated into many of the utilities we use daily, such as voice assistants (Alexa), face recognition apps, navigation apps, fridges, Netflix, etc. As a consequence, countries are becoming more vigilant in addressing data privacy and protection concerns. Governments worldwide are building proper legal infrastructure to ensure data safety when data is exchanged, transferred, or stored. GDPR was one such benchmark law, protecting the privacy of European citizens’ data not only in Europe but across the world.
The UAE has also been at the forefront of applying laws to protect its citizens and expats from data breaches. Article 31 of the UAE constitution was the first law that touched upon the issue of data protection. The UAE later set up several laws to protect the data and privacy of individuals, companies, and the government. However, there is no federally applicable law in the UAE for data protection. Dubai is the only Emirate that has issued strong laws related to the transfer, exchange, and protection of data. Free zones like DIFC and ADGM were the first to come up with detailed laws that directly address data protection issues.
To understand the Data Protection laws in the UAE, we have listed the major laws and regulations related to data protection or privacy of data in the country. We have divided these laws and regulations into three categories:
- The Federal Legislations UAE Laws and Regulations
- Dubai Data Protection Laws and Regulations
- Free-zones Laws and Regulations
The Federal Legislations UAE Laws and Regulations
The general principle related to protecting personal privacy was first issued in Article 31 of the UAE constitution in 1971. As technology advanced, various pieces of legislation were added later on to create stronger data protection guidelines.
Article 31 of the UAE constitution: The article states, “freedom of communication by means of the posts, telegraph or other means of communication and their secrecy shall be guaranteed in accordance with the law.” Any person residing in the UAE has the freedom to communicate via post, telegraph, or other means. The law guarantees them the confidentiality of their communication.
Articles 378 and 379 of the UAE Penal Code: Both articles provide that any individual who breaches, or attempts to breach, the privacy of another individual may be punished by a fine or imprisonment. Article 378 states that publishing personal data related to an individual’s personal or family life is a criminal offense (unless authorized by law or done with consent). The following acts constitute an invasion of privacy:
- If the perpetrator eavesdrops on, records, or transmits, through a device, a conversation that took place in private or over a phone or other electronic device.
- Captures and/or transmits the picture of a person via any kind of device.
- Exception: if these acts were done during a meeting in front of the attending members, consent shall be presumed.
Article 379 prohibits a person entrusted with a “secret” from disclosing it without the consent of the individual to whom the secret belongs. The punishment may be aggravated when the perpetrator is a public employee.
The Law on the Practice of Human Medicine: Article 13 of Federal Law no. 7 of 1975 forbids doctors from disclosing any secret that a doctor knows about a patient or that the patient has confided. The article also covers several exceptions, such as:
- If the patient requests that the secret be disclosed.
- If revealing the secret is necessary or in the interest of the spouse, the secret can be divulged to both spouses individually.
- If revealing the secret helps prevent a crime from being committed, it can only be revealed to the concerned authorities.
- If the doctor belongs to the panel of the insurance company and has examined the patient, the doctor can reveal the details only to the insurance company.
The Law Regulating the Telecommunication Sector: Article 72 of Federal Law by Decree No. 3 of 2003 states that any person who copies, discloses, or spreads the content of any communication through a public telecommunication network can be punished with imprisonment for up to one year and fines ranging from AED 50,000 to AED 200,000.
The Cyber Crime Law: Article 21 of Federal Decree no. 5 of 2012 states that it is a criminal offense to use the internet or any electronic device to invade the privacy of another individual. The article has a broad scope: even the mere act of taking photographs without consent can invite legal trouble. Article 22 of the same law states that it is a criminal offense to use cyber networks, websites, or information technology to violate the privacy of another individual by disclosing confidential information obtained. Using such information to conduct digital fraud invites harsher punishments.
The Law on Printing and Publishing: Article 79 of Federal Law No. 5 of 1980 states that no material (news, photographs, comments) related to the secrets of personal or family life can be published. Any secret that may defame an individual, or his or her wealth or commercial name, must not be revealed. If this is done with the intent to threaten, extort, or harm the right to employment, you may face severe punishments.
Internet Access Management Policy (IAM): The IAM policy is implemented by the Telecommunications and Digital Governance Regulatory Authority (TDRA) in coordination with the National Media Council and Etisalat and Du (the licensed internet service providers in the UAE). The policy covers data protection: it states that any online content that is used for impersonation, fraud, or phishing, or that invades the privacy of an individual or company, can be reported to Etisalat and Du.
Dubai Data Protection Laws and Regulations
Dubai is always at the forefront in providing excellent business opportunities. The Emirate maintains global standards for economic and legal infrastructures. Dubai is the first Emirate that has issued laws that directly address the transfer, exchange, and protection of data. Although it doesn’t provide a detailed definition of data and refers to data in general, it does address the matters related to data in detail.
The law states that the “Concerned Authority” shall adopt policies, mechanisms, rules, and standards related to disseminating data when performing its tasks and competencies. The law also applies to data providers and covers all data related to individuals, institutions, and companies.
- Dubai Statistics Center Law: Article 9 of this law states that personal data collected from statistical activities or research must be kept confidential. Any attempt to exchange or transfer such data is prohibited unless it is done through the DSC or with prior permission.
- Health Data Protection Regulations: The Dubai Healthcare City Authority has regulations that specifically address the management of collection, transfer and/or exchange of private health information of a patient.
Free-Zone Data Protection Laws and Regulations
Free zones in the UAE such as the Dubai International Financial Center (DIFC) and Abu Dhabi Global Market (ADGM) were the first to adopt special and exclusive legislation related to data protection.
The DIFC: DIFC Law No. 1 of 2007 covers in detail the guidelines for the general processing of personal data, rights of data subjects, notification to the Commissioner of Data Protection, remedies, liability, and sanctions. It also covers the guidelines for the appointment, powers, and functions of the Commissioner of Data Protection. The last section of the law covers general exemptions.
Following global best practices related to data privacy, a new law, Data Protection Law No. 5 of 2020, was issued. The law came into force on July 1st, 2020. It comes with updated regulations and a three-month grace period for businesses to comply. Law no. 5 describes:
- Procedures for notifications to the Commissioner of Data Protection, fines, record keeping, accountability, and adequate jurisdictions for cross-border transfers of personal data.
- Individuals’ rights are explained in terms of data usage by entities that collect and manage personal data.
- Contractual clarity of rights while engaging with vendors of the latest technologies such as AI, IoT, and Blockchain.
- Appropriate data sharing structures between government authorities.
- New and strict fines for serious breaches of the Data Protection Law, and increased fine limits.
The updated data protection laws and regulations reflect DIFC’s commitment to developing an empowering business ecosystem with strong regulatory and compliance guidelines for companies operating in the DIFC. The law combines global best practices and provisions derived from world-class data protection laws such as the General Data Protection Regulation (GDPR).
The ADGM: Abu Dhabi Global Market enacted a new Data Protection law in February 2021, replacing the Data Protection Law of 2015. The new law has played a substantial role in bringing the framework closer to the European Union’s data protection laws. A few notable changes from the previous law are:
- Establishment of a new independent Office of Data Protection (ODP).
- Stricter penalties for non-compliance that can go up to $28 million for serious breaches.
- Businesses also have record-keeping obligations related to their data processing and data security duties and may also appoint a data protection officer.
Is GDPR applicable to UAE?
The General Data Protection Regulation came into effect on May 25th of 2018. The European Union regulation aims at unifying data protection rules and procedures across the European Union. The law aims at protecting people’s personal data from theft and breaches and at maintaining privacy. Although the law is primarily designed for the data protection and privacy of people living in the EU and the European Economic Area (EEA), it also extends to the export of personal data to companies and jurisdictions abroad.
Any UAE-based company that handles the personal data of European residents and citizens must follow the guidelines of GDPR. Even a company that has no direct presence in Europe needs to comply with the law. The six rights GDPR provides the citizens of the EU and EEA are:
- The right to access, update, or delete the personal information held about them.
- The right of rectification.
- The right to object.
- The right of restriction.
- The right to data portability.
- The right to withdraw consent.
Unlike the European Union and other countries, the UAE does not have federal legislation that regulates data protection in the entire country. However, there are numerous provisions across various laws. Along with this, the government of each Emirate has laws and guidelines to address data protection of residents and citizens.
All organizations conducting business in the UAE are expected to use data in a way that is legal, ethical, and profitable. There are a lot of points an organization needs to consider with respect to data security. Fortunately, you do not have to navigate through this alone. Our experienced lawyers are there to guide you if you encounter any legal trouble related to data protection law in the UAE.